VDB
KO
CRITICAL 9.8

GHSA-hm2w-vr2p-hq7w

UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen

Details

`uefi-firmware` contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. in `uefi_firmware/compression/Tiano/Decompress.c`, `ReadCLen()` reads `Number = GetBits(Sd, CBIT)` with `CBIT = 9`, so `Number` can be as large as `511`, while the destination array `Sd->mCLen` has `NC = 510` elements. the loop writes while `Index < Number` without enforcing `Index < NC`. additionally, the `CharC == 2` run-length path performs `GetBits(Sd, 9) + 20`, allowing up to `531` zero writes through `Sd->mCLen[Index++] = 0`.

Reachability is through the normal parsing path: `CompressedSection.process()` -> `efi_compressor.TianoDecompress()` -> `TianoDecompress()` -> `DecodeC()` -> `ReadCLen()`.

Minimum impact is a deterministic crash; depending on build/runtime details, the heap memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.

- PR: <https://github.com/theopolis/uefi-firmware-parser/pull/145> - fix commit: <https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e> - upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / uefi-firmware
Introduced in: 0

No fixed version published yet for uefi-firmware (pip). Pin to a known-safe version or switch to an alternative.

References